title: privilege-separation

date: 2016-01-12 14:40:04

categories:

tags:

  • Exercise1

    In order to gain a deeper understanding of the internal architecture of the Touchstone web server,
    let's use gdb to debug the banksv service. First, launch the server:

    $ ./touchstone

    • Now use gdb to attach to the banksv service (find its PID first):

    $ ps -a
      PID TTY          TIME CMD
     5583 pts/0    00:00:00 touchstone
     5584 pts/0    00:00:00 filesv
     5585 pts/0    00:00:00 banksv
     5586 pts/0    00:00:00 httpd
     5771 pts/1    00:00:00 ps
    $ gdb -q
    (gdb) attach 5585
    (gdb) b handle_post
    Breakpoint 1 at 0x80d0a2f: file handle.c, line 74.
    (gdb) set follow-fork-mode child
    (gdb) c
    Breakpoint 1, handle_post (uri=0xbfeac5a8 "/", fd=6) at handle.c:74
    74        char *info = "HTTP/1.1 200 OK\r\n\r\n";
    (gdb) n
    75        Body_t *b = getBody(&num);
    (gdb) n
    77        char *name = b[0]->value;
    (gdb) n
    78        char *pwd = b[1]->value;
    (gdb) n
    80        char *type = b[num-1]->value;
    (gdb) p name
    $1 = 0x8f894f0 "abc"
    (gdb) p pwd
    $2 = 0x8f896f8 "123"
    (gdb) n
    82        init_db();
    (gdb) s
    init_db () at ./sql_lite3/sqlhelper.c:32
    32        if (open_db() == SUCCESS) {

  • Exercise2

    Finally, you will write some code. Extend the current sqlite3 user table to add more information.
    For instance, you can add the time and IP address to the user table, so that when a user has logged
    in, the web page can display the last login time, the current login address, and so on. You may
    want to read some of the sqlite3 documentation.

  • Firstly, we pass the value of client_addr to the httpd process by executing
    write( disp_fds[1], inet_ntoa(client_addr), 50 ).
    In the httpd process, which acts as a hub, we receive this value.
    Then we send this value to the filesv and banksv processes respectively over their pipefd descriptors,
    so that we can deliver this address to the browser.

  • Why don't we send it to filesv and banksv directly?
    It is just a pity that the server has already closed those descriptors before a new client arrives...
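    As an added example (not code from the lab or from the Touchstone sources), the hand-off above with the length problem removed: inet_ntoa() returns a pointer to a static buffer of at most 16 bytes, so asking write() for 50 bytes reads past that buffer and pushes garbage into the pipe. The names send_client_addr, recv_client_addr and roundtrip_ok are assumptions, and the single pipe stands in for whichever disp_fds/pipefd pair joins the two processes.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>

/* Format into our own buffer and send exactly strlen()+1 bytes, instead of
 * write(fd, inet_ntoa(addr), 50), which over-reads inet_ntoa()'s static buffer. */
int send_client_addr(int fd, struct in_addr addr)
{
    char buf[INET_ADDRSTRLEN];
    if (inet_ntop(AF_INET, &addr, buf, sizeof buf) == NULL)
        return -1;
    size_t len = strlen(buf) + 1;          /* include the terminating NUL */
    return write(fd, buf, len) == (ssize_t)len ? 0 : -1;
}

/* Receiver side (httpd, and later filesv/banksv): read until the NUL arrives
 * or the buffer is full; never trust the sender to have sized the message. */
int recv_client_addr(int fd, char *buf, size_t buflen)
{
    for (size_t n = 0; n < buflen; n++) {
        if (read(fd, &buf[n], 1) != 1)
            return -1;
        if (buf[n] == '\0')
            return 0;
    }
    return -1;                             /* no terminator: reject the message */
}

/* Single-pipe demonstration: one end plays the accepting server, the other
 * plays httpd (in the real server they are separate processes after fork()).
 * outlen caps the receiver's buffer. Returns 1 if the address arrives unchanged. */
int roundtrip_ok(const char *dotted, size_t outlen)
{
    int fds[2];
    struct in_addr addr;
    char out[INET_ADDRSTRLEN];
    if (outlen > sizeof out || inet_pton(AF_INET, dotted, &addr) != 1 || pipe(fds) != 0)
        return 0;
    int ok = send_client_addr(fds[1], addr) == 0 &&
             recv_client_addr(fds[0], out, outlen) == 0 &&
             strcmp(out, dotted) == 0;
    close(fds[0]);
    close(fds[1]);
    return ok;
}
```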

  • Secondly, we should add additional fields to the user table.
    One is ip_addr, the other is last_time (which records the last login time).

  • Before modifying the user table, we should drop it, because some data already exists in the user table.
    In order to get and update the last login time and last IP address, two functions need to be implemented.

    • As follows:
      void getLastState(const char *u_name, const char *u_passwd,
                        char *last_ip_addr, char *last_time)
      {
          if (open_db() == SUCCESS) {
              char sql[1024];
              int row, column;
              char **result;
              char *errorMsg;
              /* The query must be one string literal; a literal split across
               * lines without concatenation does not compile. Note that the
               * caller's strings are spliced into the SQL text here; a prepared
               * statement with sqlite3_bind_text() would keep them out of it. */
              snprintf(sql, sizeof(sql),
                       "SELECT ip_addr, time FROM user WHERE name = '%s' AND passwd = '%s'",
                       u_name, u_passwd);
              if (sqlite3_get_table(db, sql, &result, &row, &column, &errorMsg) == SQLITE_OK) {
                  /* result[0..column-1] hold the column names; the first data
                   * row starts at result[column], so with two columns the
                   * values are result[2] and result[3]. Check that a row came
                   * back before copying, and that neither value is NULL. */
                  if (row >= 1 && column == 2 && result[2] && result[3]) {
                      strcpy(last_ip_addr, result[2]);
                      strcpy(last_time, result[3]);
                  } else {
                      printf("getLastState: no previous login recorded\n");
                  }
                  sqlite3_free_table(result);
              } else {
                  printf("getLastState error! [%s]\n", errorMsg);
                  sqlite3_free(errorMsg);
              }
              sqlite3_close(db);
          } else {
              if (DEBUG)
                  printf("open failed![%s]\n", sqlite3_errmsg(db));
          }
      }

      void updateLoginState(const char *u_name, const char *u_passwd,
                            const char *ip_addr, const char *datetime)
      {
          if (open_db() == SUCCESS) {
              char sql[1024];
              snprintf(sql, sizeof(sql),
                       "UPDATE user SET ip_addr = '%s', time = '%s' WHERE name = '%s' AND passwd = '%s'",
                       ip_addr, datetime, u_name, u_passwd);
              handle_db(db, sql);
              sqlite3_close(db);
          } else {
              if (DEBUG)
                  printf("open failed![%s]\n", sqlite3_errmsg(db));
          }
      }

  • Exercise3
  • Modify the code snippet in browser.c to send a constructed HTTP request
    to the web server to visit the /etc/passwd file.
    That is, you can read that file remotely.

    Modify the char *req in browser.c to build a request string that accesses the /etc/shadow file:
     char *req = "GET ../../etc/shadow HTTP/1.1\r\n\r\n";

  • Exercise4
  • Add some code to server.c to add chroot support.
    Change the root directory from / to /jail.
    After this, you can compile and run the new web server:
  • jails
    chroot("/jail");   /* follow with chdir("/") so the working directory is inside the new root */

    Access the /etc/shadow file again:
    the file is now reported as not existing.

  • Exercise5
  • Modify your browser code to inject some shellcode into the server.
    Your shellcode attacks the httpd daemon and unlinks the file /db/users.db.
    Using a ret-to-libc attack can make this a little simpler.
     ebp+4   address of system
     ebp+8   address of exit
     ebp+12  address of the string "rm db/users.db"

  • Exercise6
  • Modify the function in the file server.c to set up the user and group IDs properly
    when services are launched. Think carefully about how your code should set the user and group IDs with
    setresuid(), setgroups(), setresgid().
  • Set file and directory permissions to ensure that the static service
    cannot read the database files of the dynamic service, and vice versa.
    Try to modify chroot-setup.sh to set the permissions for the different files.
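    An added example, not the lab's server.c, of the ordering the exercise hints at: clear supplementary groups and set the gid while the process is still root, set the uid last so real, effective and saved ids all change, then check that root cannot be regained. The names drop_privileges, privileges_dropped and drop_and_verify are assumptions; the code assumes Linux (setresuid/setresgid need _GNU_SOURCE).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to (uid, gid) irreversibly. Order matters: supplementary groups and the
 * primary gid must go while we still hold root, because once the uid is
 * unprivileged setgroups()/setresgid() are no longer permitted. Returns 0 on
 * success, -1 (with errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 || geteuid() == 0) {
        /* A service that inherits the launcher's groups could still read the
         * other service's files, so empty the list first. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    /* Real, effective and saved ids all change, so no saved root id is left
     * to switch back to with seteuid(0). */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop stuck: every id must match the target, and if we left root,
 * regaining it must now fail. Returns 1 when the state is correct. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (r != uid || e != uid || s != uid || rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0 && setresuid(0, 0, 0) == 0)
        return 0;                /* we climbed back: the drop was incomplete */
    return 1;
}

/* Demonstration: drop to the target ids and confirm. An unprivileged caller
 * can only "drop" to its own ids, which still exercises every check. */
int drop_and_verify(uid_t uid, gid_t gid)
{
    return drop_privileges(uid, gid) == 0 && privileges_dropped(uid, gid);
}
```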
